As a leading provider of lottery and gaming solutions, IGT must meet business needs for speed to market while maintaining rigorous application security throughout the development process.
Integrating IBM Security AppScan on-premises application security software into its software development lifecycle helps IGT to meet software security assurance standards and continue to meet all regulatory requirements.
Reduced hundreds of false positive findings in one application scan to 18 “must fix” sections of code
Automated application scanning integrated with the development lifecycle
Enables security by design approach to lowering risk
Business challenge story
Addressing application security in a rapidly changing, high-risk industry
When software is at the core of your business and your customers present a high-profile target for cybercrime, application security becomes a driving factor. That’s the case at IGT, a leading global gaming Company with clients across more than 100 countries.
IGT products and solutions enable players to experience their favorite games across all channels and regulated segments, from gaming machines and lotteries to interactive and social gaming. Innovating to stay ahead of changing player preferences and meeting customization requirements of IGT’s gaming industry clients translate into an environment where thousands of developers are continually turning out new code.
Making that software secure at the application code level—making it resistant to attacks even in the unlikely event that intruders get past perimeter defenses—is the mission of IGT’s Application Security Practice. The challenge lies in reducing risks in software without impeding the business need to get new, updated, or customized products to market as quickly as possible.
“When we asked people to participate in the application security process, we heard concerns that it could jeopardize delivery schedules and results,” says Dragan Pleskonjic, Senior Director Application Information Security. “My answer was that one single lapse in security could seriously harm our Company or customers, and have a significant impact on our reputation. We work in the lottery and gaming business, and we cannot take that risk.”
Automating application scanning for greater efficiency
Today, the Application Security Practice is a mandatory component of the software development lifecycle at IGT. It follows a formal Software Security Assurance set of best practices that helps ensure proactive application security testing, and includes processes and tools for risk assessment, threat modeling, static and dynamic code analysis, vulnerability assessment, and penetration testing.
Because it takes place from the outset of code development, static code analysis has the greatest potential to impact delivery times and speed to market. “We practice what the industry calls ‘shift left,’ which means we focus on catching issues as early as possible in the process. That’s where it costs the least to fix them,” says Dragan Pleskonjic.
The Company selected the IBM Security AppScan family of products for static code analysis of internally developed software. With AppScan being used on hundreds of applications, IGT is a leading user as well as a member of the AppScan Customer Advocacy Program. The program is today managed by IBM Business Partner HCL, which also provides service and support for IBM Security application technology in partnership with IBM.
Code analysis takes place at several checkpoints in the development cycle, including: manually at onboarding to establish a baseline; continuously via AppScan integrations with the development environment; automatically at the end of the build cycle and before QA; and at the final security checkpoint prior to production.
“Very early on we realized that we needed automation. IBM helped us develop automation workflows and provided a number of best practices that we have implemented,” says Dragan Pleskonjic, noting that AppScan is designed to enforce coding policies and secure-programming best practices as well as locating critical vulnerabilities.
Early experiences with the process, both with manual scanning and pilots with automated workflows, determined that the IBM solution could meet the need for speed—AppScan could handle more than one million lines of code in an hour. However, the scans were producing large numbers of false positives, consuming developer time hunting down and evaluating what turned out to be non-issues.
During that period, IBM introduced the cloud-based version of a new AppScan feature called Intelligent Finding Analytics, or IFA. This machine learning and AI-based tool analyzes AppScan findings in minutes and reduces false positives by more than 90 percent, a number that over time, with machine learning, can reach more than 98 percent. Moreover, it sorts findings into “fix groups” that show developers precisely where security issues reside in the code, and provides suggestions for remediation.
“We asked for this capability to be available as an on-premises solution, and IBM delivered,” comments Dragan Pleskonjic. “We met with our IBM customer advocate at our Rhode Island location and in one week we had IFA up and working.”
Reducing false positives with AI
When the Company started working with IFA it did a test run with one typical application, Dragan Pleskonjic says. “We found hundreds of potential security issues reported by AppScan. We then parsed those results through IFA and it came down to around 120 issues. Then we looked into the grouping of those issues and found just 18 points in the code that we needed to fix. That was what I would call a significant breakthrough.”
Pointing developers to a few specific sections of code rather than asking them to dig into hundreds of potential security issues is a lot more acceptable to the development team. And using AppScan as a first line of defense against exploitable application code vulnerabilities is helping IGT be proactive rather than reactive about security and create software that is secure by design.
“We are here to help our development teams create solutions and software with as few application security risks as possible,” says Dragan Pleskonjic. “Security tends to be treated like any other feature that can be added onto an application. But security isn’t something a developer can add at the end. You must build security into the application from the outset.”
IGT is the global leader in gaming, with solutions across all channels and regulated segments, from Gaming Machines and Lotteries to Interactive and Social Gaming. Leveraging a wealth of premium content, substantial investment in innovation, in-depth customer intelligence, operational expertise and leading-edge technology, IGT’s gaming solutions anticipate the demands of consumers wherever they decide to play. The Company has a well-established local presence and relationships with governments and regulators in more than 100 countries around the world, and creates value by adhering to the highest standards of service, integrity, and responsibility. IGT has over 12,000 employees.
Take the next step
To learn more about the IBM Security AppScan family of application security products, visit: https://www.ibm.com/security/application-security/appscan